If you are responsible for the security of SAP systems in your company, you might want to continue reading as we want to share some results from doing SAP Security assessments over the past 7 years. In short; it’s not as good as customers often think it is.
Perception typically within SAP running organizations is that their SAP systems are well protected. Reality is that at every customer assessed so far, we found critical vulnerabilities that gave full control to (big parts of) their SAP infrastructure. For the WHY and HOW this happened; please see some of our earlier posts and presentations. In this blogpost we want to zoom in on some of the most important vulnerabilities found in SAP systems and some guidance on how to solve / prevent them.
The below table shows a subset of most common critical vulnerabilities that we encountered in customers SAP systems over the past years and the percentage of systems we found them in:
*1 Default ABAP users, but also DB and OS as for example HANA Root password HP appliances *2 Multiple vulnerabilities like gw/logging activated, no reg_info or sec_info files or P * * * in ACL's *3 Hana secure store and ABAP/JAVA secure store combined
The above table only shows the Very-High and High vulnerabilities that we commonly see. What it does not show are very specific Operating System-specific or Database-specific vulnerabilities as well as the many hundreds of MEDIUM to VERY LOW vulnerabilities. The above list shows the most critical vulnerabilities that you should definitely address to lower risk, but keep in mind that fixing the above will not have your SAP systems completely secured. Also: Some vulnerabilities are found in a low number of systems, for example a vulnerable invoker servlet in 12% of all Java systems. Still this can be critical for the rest of the landscape as the compromise of one system might lead to a full compromise of big parts of the rest of the landscape.
Now that you have a list and some numbers, it is logical to check your own SAP systems for these vulnerabilities. If you do find some of these vulnerabilities in your systems (don’t forget to check ALL systems, including that forgotten sandbox system which might be connected to other systems), a logical next thing to do is to try and mitigate them. Especially since the above vulnerabilities can cause high risk in your SAP infrastructure and therefore to your business. The time and effort it takes to fix individual vulnerabilities depends heavily per item. If you search for their names on the SAP Help pages or on SAP Security notes search you can find lots of references to fix those items. Furthermore there are some really good guides available that help you further, make sure to at least check the Secure Configuration Guide and the Securing Remote Function Calls guide that provide guidance on solving several items from the above list.
If you want more information on the above or with questions; please feel free to reach out to us or to one or our partners. As a final note, also read about a great cooperation (Dutch) with our partner TheNextView at Prorail.